The Center for Long-Term Cybersecurity launched the “What? So What? Now What?” video series to provide understandable explanations of complex topics. Each video looks at a subject through a three-part lens: 1) What? (What is the definition of the topic, at a high level?) 2) So What? (Why does it matter?) and 3) Now What? (What can or should be done about it?).
Past videos in the series have focused on topics such as adversarial machine learning, differential privacy, and synthetic media (or “deepfakes”). (See all the videos here.)
The latest release in the series focuses on “Zero Trust,” an approach to digital security that is quickly becoming an industry standard because it is well-suited for the era of cloud computing. “Zero Trust shifts the focus of threat detection from a location-centric model, based on the network perimeter, toward validating the identity and need for access of individual devices and users, regardless of their location,” the video explains.
Like the previous videos, the Zero Trust explainer was animated by Annalise Kamegawa, a recent UC Berkeley graduate who is currently studying Integrated Product Design at Politecnico di Milano. CLTC would also like to thank Cindy Miner Kapelke for providing narration, as well as Nick Merrill, James Richberg, and Vinicius Da Costa, who offered helpful feedback on the script.
The video can be viewed above or on YouTube. A transcript is provided below.
Additional Resources on Zero Trust
- Zero Trust Architecture, a publication of the National Institute of Standards and Technology (NIST), “contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture.”
- Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators: This related white paper from NIST “provides an overview of the NIST Risk Management Framework (NIST RMF) and how the NIST RMF can be applied when developing and implementing a zero trust architecture.”
Transcript
Computer networks have traditionally been designed around the principle of “trust.” Organizations give password access to employees, vendors, or others, as long as they have a reason to be there.
The problem is, computer networks aren’t housed in a single location. And not everyone who gets inside a network is who they say they are. Once they’re inside, imposters can snoop around, leading to data theft, or damaging cyber attacks.
That’s why many organizations have adopted a new model for security, called “Zero Trust.” Zero Trust is a way of thinking about network architecture based on the motto, “never trust, always verify.”
Zero Trust shifts the focus of threat detection from a location-centric model, based on the network perimeter, toward validating the identity and need for access of individual devices and users, regardless of their location.
Instead of trusting devices based on their identity or login credentials, in Zero Trust, devices must constantly prove their trustworthiness to the rest of the organization.
Zero Trust uses an approach called least privilege, which means that you only give the minimum level of access necessary to accomplish the task at hand.
In the Zero Trust model, networks are divided into segments. Each segment is like a safe, with its own special security restrictions. With network segmentation, organizations can isolate their most important data and applications.
This model helps ensure that even if someone has access to one piece of private information, like a password, they can’t do damage to the whole network.
The Zero Trust model is becoming state of the art, and most major organizations are moving in this direction.
Zero Trust is an important new model for cybersecurity because it is well suited for the distributed and shared nature of cloud computing.
If you’re trying to understand zero trust, here are some things to know.
Zero Trust is not just about software, and there is no one size fits all solution. You’ll need to map how data flows across your specific network, and establish policies that will be used to monitor and maintain the system over time.
While there are plenty of vendors who can help your organization implement a Zero Trust strategy, be sure to avoid anyone selling solutions that claim to do everything.
Remember, Zero Trust is an operating philosophy rather than a specific product. It’s a set of principles for organizing networks and connections between users, data, and computing resources, regardless of where they are located.
It can take time to get used to new practices, so it’s important to dedicate resources for training and generating buy-in.
You should also communicate to users that “Zero Trust” means that no device is intrinsically trusted. It does not mean employees aren’t trusted by their managers.
But it is important to think about privacy. Increased monitoring means employers could be collecting more data about employees, such as location data, but cryptographic approaches to privacy can mitigate this risk.
Zero Trust requires conducting regular audits as well as Red Team penetration attacks (when you enlist insiders to try to break into your system).
Of course, Zero Trust doesn’t change everything. It is a tool for managing risks, not for making computing and network access risk-free. Basic cyber hygiene and real-time monitoring of the network are still important in a Zero Trust implementation. It also requires a level of resources that not all organizations have.
But there are many people working to reduce barriers to Zero Trust.
The US National Institute of Standards and Technology has developed helpful educational resources, including a roadmap for implementing a Zero Trust architecture.
The important thing is to start planning with a Zero Trust mindset.
It’s clear that Zero Trust is what’s on the horizon for network security, so we hope this helps you understand the basics. In the end, the results will be worth it.
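The transcript above describes the shift from a perimeter model to per-request validation of identity, device, and need for access, with least privilege and segmentation. The following is an added example, not code from CLTC or the video, that makes that contrast concrete as a toy policy engine: a perimeter check that trusts anything from an assumed corporate address range, beside a Zero Trust check that ignores location and instead verifies identity, device, and a per-segment least-privilege policy. All addresses, users, devices, segments, and policies are hypothetical and constructed for illustration.

```python
"""
Added example (not part of the CLTC video or its transcript).
Contrasts a perimeter-based access decision with a Zero Trust one.
All networks, users, devices, segments and policies below are hypothetical.
"""
from dataclasses import dataclass
import ipaddress

# Assumed "inside the perimeter" address range (hypothetical).
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # group memberships the identity provider asserts
    src_ip: str
    device_id: str
    device_attested: bool      # stands in for a device posture/attestation check
    mfa_verified: bool         # stands in for a verified (not just presented) identity
    resource: str              # the segment being accessed, e.g. "hr-db"
    action: str                # e.g. "read" or "write"


def perimeter_decision(req: Request) -> bool:
    """Perimeter model: anything arriving from the corporate range is trusted."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET


# Zero Trust: each segment is its own "safe" with its own rules.
# Maps resource -> action -> groups allowed to perform that action (hypothetical).
SEGMENT_POLICY = {
    "hr-db": {"read": {"hr"}, "write": {"hr-admin"}},
    "wiki":  {"read": {"staff"}, "write": {"staff"}},
}

# Devices the organization has enrolled (hypothetical inventory).
KNOWN_DEVICES = {"laptop-42", "laptop-77"}


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate every request on identity, device and need; location is ignored.

    Returns (allowed, reason) so the reason for a denial is auditable.
    """
    if not req.mfa_verified:
        return False, "identity not verified"
    if req.device_id not in KNOWN_DEVICES or not req.device_attested:
        return False, "device not trusted"
    policy = SEGMENT_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown segment"
    allowed_groups = policy.get(req.action, set())
    if req.groups.isdisjoint(allowed_groups):
        return False, "least privilege: no group grants this action"
    return True, "allowed"


def scenarios() -> dict[str, tuple[bool, tuple[bool, str]]]:
    """Constructed sample requests; returns {name: (perimeter, zero_trust)}."""
    cases = {
        # Attacker inside the network with a stolen password, unknown device, no MFA.
        "stolen-password-inside": Request(
            user="alice", groups=frozenset({"hr"}), src_ip="10.1.2.3",
            device_id="unknown-box", device_attested=False, mfa_verified=False,
            resource="hr-db", action="read"),
        # Legitimate HR user working from home on an enrolled, attested laptop.
        "hr-user-remote": Request(
            user="alice", groups=frozenset({"hr", "staff"}), src_ip="203.0.113.7",
            device_id="laptop-42", device_attested=True, mfa_verified=True,
            resource="hr-db", action="read"),
        # Verified staff member on a good device, but reaching into the wrong segment.
        "staff-writes-hr-db": Request(
            user="bob", groups=frozenset({"staff"}), src_ip="10.9.9.9",
            device_id="laptop-77", device_attested=True, mfa_verified=True,
            resource="hr-db", action="write"),
    }
    return {name: (perimeter_decision(r), zero_trust_decision(r))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (perimeter, (allowed, reason)) in scenarios().items():
        print(f"{name:24s} perimeter={perimeter!s:5s} zero_trust={allowed!s:5s} ({reason})")
```

The first scenario is the case the transcript warns about: the perimeter model admits an imposter simply because the request originates inside the network, while the Zero Trust check denies it before any policy lookup. The second shows that location no longer penalizes a legitimate remote user, and the third shows segmentation and least privilege limiting what a fully verified user can reach.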